El Polocker
El Polocker, also known as Los Pollos Hermanos, is a ransomware family that runs on Microsoft Windows. Its theme is based on the television series Breaking Bad, and it is aimed at Australian users. Analysts found Romanian-language traces in the malware's code, suggesting a Romanian origin. According to Symantec's analysis, the threat appears to use components of, or techniques similar to, an open-source penetration-testing project built on Microsoft PowerShell modules. This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware.

Payload Transmission

El Polocker uses social engineering to infect victims. It is distributed by fake DHL penalty notices that demand payment of unpaid fees. The notice contains a link to a file hosted on Dropbox, which contains the VBS file Penalty.vbs. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not malicious.

Infection

When launched, it downloads and executes the PowerShell script, which is the main component of El Polocker. The PowerShell script starts by injecting Reflect.dll into Explorer.exe using a script from PowerSploit, and then executes the DLL's VoidFunc function. This function downloads t.dll, which performs cleanup on the computer: it deletes shadow copies of files, and disables system recovery in the registry and automatic error repair when Windows loads.

The PowerShell script then contacts the command-and-control (C2) server with the following POST request:

http://193.xxx.xxx.xxx/wall/getKey.php?UUID=&pcName=

The C2 server replies with a unique Bitcoin address and a master public encryption key, which is used to encrypt the AES keys that in turn encrypt the user's files. The PowerShell script then searches all drive letters and network UNC shares for files matching certain extensions and encrypts them with symmetric AES encryption.

A unique AES key is used for each file. Each per-file key is then encrypted with the downloaded RSA public key and stored, together with the associated filename, in the seckeys.DONOTDELETE file. Encrypted files have the .HA3 extension appended to their filename. The targeted file extensions are:

.jpg, .csv, .vsdx, .ai, .pub, .one, .dotx, .xml, .doc, .xls, .docx, .xlsx, .crt, .pem, .p12, .db, .mp3, .jpg, .jpeg, .txt, .rtf, .pdf, .rar, .zip, .psd, .msi, .tif, .wma, .lnk, .gif, .ppt, .pptx, .docm, .xlsm, .pps, .ppsx, .ods, .raw, .pst, .ost

Not only does El Polocker encrypt files on the victims' drives, it also encrypts data found on unmapped open network shares. The only other known ransomware that scanned for and encrypted Windows shares was CryptoFortress.

When encryption completes, it displays a variety of ransom notes and a ransom screen with instructions on how to purchase the decryption key. One of the ransom notes carries the Los Pollos Hermanos branding image from Breaking Bad. Part of the email address used in the extortion demand is based on a quote by the show's protagonist Walter White, who declared "I am the one who knocks." The payment instruction note links to a legitimate video tutorial on how to obtain Bitcoins; the attackers included it to help victims pay the ransom. It also opens another YouTube video in the background: a song used on a fictional radio station in the game Grand Theft Auto V, which some fans believe is a shout-out to Breaking Bad.
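The indicators described above (the getKey.php key-retrieval request, the .HA3 extension and the seckeys.DONOTDELETE key store) can be turned into simple hunting logic. The following Python is an added example written for this page, not code from the page or from any vendor analysis; the proxy log format, the client addresses and the 192.0.2.10 C2 address are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the page: C2 request path and query parameters,
# the appended extension on encrypted files and the per-file key store name.
C2_PATH = "/wall/getKey.php"
C2_PARAMS = {"UUID", "pcName"}
ENCRYPTED_EXT = ".HA3"
KEYSTORE_NAME = "seckeys.DONOTDELETE"

# Constructed sample proxy log lines (hypothetical format: timestamp, client, method, URL).
# 192.0.2.10 is a documentation-range placeholder, not the real C2 address.
SAMPLE_PROXY_LOG = """\
2015-05-12T09:14:02Z 10.0.0.15 GET http://www.example.com/index.html
2015-05-12T09:14:07Z 10.0.0.15 POST http://192.0.2.10/wall/getKey.php?UUID=&pcName=
2015-05-12T09:15:11Z 10.0.0.22 GET http://www.example.com/wall/getKey.php
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def find_c2_beacons(log_text):
    """Return (client, url) pairs for requests matching the key-retrieval pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if not parts.path.endswith(C2_PATH):
            continue
        # The beacon carries both parameters (possibly empty); a bare path is a weaker signal.
        if C2_PARAMS.issubset(parse_qs(parts.query, keep_blank_values=True)):
            hits.append((m["client"], m["url"]))
    return hits

def triage_paths(paths):
    """Split a file listing into encrypted files (with their original extension) and key stores."""
    encrypted, keystores = [], []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        if name == KEYSTORE_NAME:
            keystores.append(p)
        elif name.endswith(ENCRYPTED_EXT):
            original = name[:-len(ENCRYPTED_EXT)]
            ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
            encrypted.append((p, ext))
    return encrypted, keystores
```

Because each per-file AES key is wrapped with the attacker's RSA public key, the seckeys.DONOTDELETE file is of no use for recovery without the private key, so the value of these checks lies in catching the beacon and the first .HA3 files early, before the share walk completes.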